Time is nearly up. Get ready to comply with the final HIPAA breach notification rule (Final Rule). The Office of Civil Rights (OCR) within the Department of Health and Human Services will begin enforcement of the Final Rule on September 23, 2013.

Congress enacted the Health Information Technology and Clinical Health (HITECH) Act in February 2009. HITECH amended the Health Insurance Portability and Accountability Act (HIPAA) by, in part, expanding the HIPAA covered entity notice requirements when the protected health information (PHI) of one or more individuals has been improperly disclosed. OCR issued an interim final rule on breach notification in August 2009, and published the Final Rule on January 25, 2013. The Final Rule became effective in March 2013. However, OCR delayed enforcement until September 23, 2013.

I. Summary of Final Rule

The Final Rule requires HIPAA covered entities to notify affected individuals upon discovering a breach ofunsecured PHI. As described below, breach and unsecured are defined terms. The covered entity must be familiar with the definitions of these terms in order to determine whether it is required to give notice to affected individuals of an unauthorized disclosure of PHI. As explained in greater detail below, OCR modified the interim rule’s definition of breach in the Final Rule by eliminating the subjective “risk of harm” standard, and replacing it with a more objective risk assessment to determine whether the PHI has been compromised.

If a business associate is responsible for the breach, the business associate must notify the covered entity as soon as possible. The covered entity, and not the business associate, is required to report a breach to the affected individuals. The covered entity has 60 days from the date the breach is discovered (or would have been discovered if the covered entity had exercised reasonable diligence) to notify the individuals whose PHI has been disclosed. Sixty days passes quickly if a large number of individuals are involved in the breach, so it is important to begin gathering the necessary information as swiftly as possible.

In addition to the affected individuals, the covered entity must give notice to the local media and the Secretary of Health and Human Services (Secretary) if 500 or more individuals are affected.

Any breach of unsecured PHI will trigger the notification requirement unless one or more of three exceptions discussed below applies.

II. Definitions of Breach and Unsecured

Breach means “the acquisition, access, use or disclosure of” PHI in violation of the HIPAA Privacy Rule or Security Rule that “compromises the security or privacy” of the PHI. The interim final rule had required a “risk of harm” analysis to determine whether the acquisition, access, use or disclosure of PHI posed “a significant risk of financial, reputational, or other harm to the individual”. However, OCR concluded, after receiving comments on the interim rule, that the “risk of harm” standard was too subjective and removed it from the Final Rule. Under the Final Rule, any acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach. Breach notification is required, unless the covered entity conducts a risk assessment and determines a “low probability” exists that PHI has been compromised by the unauthorized disclosure.

Unsecured PHI means PHI that “is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary.” The Secretary has determined that PHI is secure only if it has been encrypted or destroyed. Other methods of protecting PHI, such as access codes (e.g., passwords) for electronic PHI, or redaction of identifying information on paper records, are not sufficient.

The unauthorized release of secure (i.e., encrypted) PHI is not a breach, and, therefore, the covered entity is not required to report an unauthorized disclosure of secure PHI to affected individuals.

III. Risk Assessment for Low Probability of Compromised PHI

When an unauthorized disclosure of PHI occurs, the disclosure is presumed to be a breach unless either (i) an exception applies, or (ii) the covered entity conducts a risk assessment and demonstrates a low probability that the PHI has been compromised. An assessment of low probability must include, at a minimum, each of the following:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the PHI or to whom the disclosure was made;

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

In addition, the covered entity must evaluate the overall possibility that the PHI has been compromised by considering all other relevant information in combination with these four factors. OCR expects that “low probability” risk assessments will be thorough, completed in good faith, and that the conclusions will be reasonable.

If the covered entity determines that an unauthorized disclosure constitutes a breach, then it must notify the affected individuals.

IV. Exceptions

Congress recognized in the HITECH Act three exceptions to the statutory definition of breach. The three exceptions, which are expressed in the Final Rule, are as follows:

1. The unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity or business associate, provided the unintentional acquisition, access or use was made in good faith, was within the scope of authority, and does not result in further use or disclosure of the PHI.

2. The inadvertent disclosure of PHI from one person authorized to access protected health information at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate and the inadvertent disclosure does not result in further use or disclosure of the PHI.

3. An unauthorized disclosure in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information.

V. Notice Requirements

The covered entity must give notice to individuals affected by a breach within 60 days of discovering the breach (subject to the reasonable diligence standard mentioned earlier). The notice must include the following to the extent possible:

1. A brief description of the breach, including the date of the breach and the date on which it was discovered;

2. A description of the unsecured PHI involved in the breach (e.g., full name, social security number, diagnosis);

3. A description of the steps the individual should take in order to protect himself/herself from potential harm caused by the breach;

4. A description of the steps the covered entity is taking to investigate and mitigate the breach, and prevent future breaches; and

5. Instructions to enable the individual to contact the covered entity, including a toll-free telephone number, an email address, web site or postal address.

If the breach involves fewer than 500 individuals, the covered entity must create a record documenting the breach. The covered entity must provide the Secretary a copy of the record within 60 days of the end of each calendar year via the web portal for the Department of Health and Human Services.

If the breach involves 500 individuals or more, the covered entity must notify local media outlets and the Secretary.

VI. State Reporting Requirements

An unauthorized disclosure of PHI under HIPAA may also implicate the reporting requirements of individual states and require reporting to state authorities. For example, notice must be given under Massachusetts Chapter 93H to affected individuals if the unauthorized disclosure of PHI includes an individual’s social security number, driver’s license number or a financial account number (e.g., credit card). Massachusetts recognizes the HIPAA notice of breach as sufficient notice to the individual under Chapter 93H. However, separate notices must be sent to the Attorney General and the Office of Consumer Affairs and Business Regulation.

If you have any questions about this topic, please contact Ruselle W. Robinson in our Health Care Group.

Thank you for your interest in our firm. Before sending us an email, we ask that you please confirm your understanding of the following information. Our Web site, www.pbl.com, is intended for general use and is not legal advice. Your email is not intended to create, and our receipt of it does not create or constitute, an attorney-client relationship. Any information that you provide to anyone at our firm cannot be considered confidential or privileged unless we agree to represent you. By sending this email, you confirm that you have read and understand this notice.